Which security path do you want to choose?

That integration of multiple security solutions and compliance have emerged as the top two challenges in our security survey should come as little surprise to those who have been paying attention. What may surprise even practitioners is that six out of ten security leaders now report outside the IT organization.

A small part of that, in sectors like banking and insurance, may be driven by specific mandates from the sectoral regulators, but the logic that prompts those regulators to require such separation applies to other sectors too. There is an inherent conflict of interest between business-aligned IT, which wants to do things faster, and risk-aligned security, which wants to ensure that everything is in place before it goes live.

While CISOs may complain about too much compliance-related work, it is those compliance requirements that help them achieve what they want. The regulators assume the role of the bad guy.

However, as many organizations have figured out, it is probably apt to divide the security role into two: operational IT security and risk-based cyber security. I call it bi-modal security. Here, one set of security professionals ensures that what needs to be protected is protected in the best manner possible, while the other set continuously scans for new threats and new challenges and is even willing to take on the attackers in a combative role. Needless to say, the two sets of people need to be part of two different teams. The first is essentially an extension of IT; the second could be part of Risk.

While the line between the two may not yet be that sharp in many organizations, the roles are already getting separated informally.

As a security professional, you need to decide what track you want to pursue and acquire skills accordingly. More about this later.